In SmartOS, Role Based Access Control (RBAC) offers system administrators a wide degree of flexibility and power for managing user access rights. One of the keys to using RBAC is managing access through a Rights profile shell. A Rights profile is a collection of administrative capabilities that system administrators can assign to a role or to a user.

System administrators can define specific commands normally reserved for root access that normal users can run from a specific profile. This eliminates the hazard of distributing root access to normal users who only need to run specific commands that require root access.

This topic points out the power of using pfexec as a replacement for sudo on a SmartMachine.

Sudo vs. pfexec

One of the main problems with sudo is the lack of privilege awareness. This means for normal users, sudo is an "all or nothing" proposition in terms of granting users access to the entire system. Like sudo, running a pfexec command is done by simply prepending pfexec before the command. The command will execute as if the user has root privileges provided the command is available to the profile shell.

Other advantages/disadvantages of using pfexec vs. using sudo are below.

Advantages of using sudo

Cross-platform compatible

Support for control of CLI arguments

Support for setting per command environment variables

Advantages of using pfexec

Offers complete granularity for defining privileges

Never have to expose root login credentials to normal users.

Taking away root privileges is as easy as removing the profile that grants root privileges from the user's account.